
ACLs on OUs and their children/leaves

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all

I'm stuck with implementing a certain type of policy in OpenLDAP:

I need to group entries (people) in such a way that only those who have
the group password have read/write access to the entries.
Here's what I came up with after studying the handbook and google:

[root defs skipped]

dn: ou=users,dc=domain,dc=tld
ou: users
objectClass: organizationalUnit

	dn: ou=group-1,ou=users,dc=domain,dc=tld
	ou: group-1
	objectClass: organizationalUnit
	userPassword: {SHA}topsecret

		dn: cn=User One,ou=group-1,ou=users,dc=domain,dc=tld
		ou: users
		ou: group-1
		mail: userone@domain.tld
		objectClass: inetOrgPerson
		[...]

		dn: cn=User Two,ou=group-1,ou=users,dc=domain,dc=tld
		ou: users
		ou: group-1
		mail: usertwo@domain.tld
		objectClass: inetOrgPerson
		[...]

	dn: ou=group-2,ou=users,dc=domain,dc=tld
	ou: group-2
	objectClass: organizationalUnit
	userPassword: {SHA}evenmoretopsecret

		dn: cn=User Three,ou=group-2,ou=users,dc=domain,dc=tld
		ou: users
		ou: group-2
		mail: userthree@domain.tld
		objectClass: inetOrgPerson
		[...]

		dn: cn=User Four,ou=group-2,ou=users,dc=domain,dc=tld
		ou: users
		ou: group-2
		mail: userfour@domain.tld
		objectClass: inetOrgPerson
		[...]

	{etc.}

This seems clear, so far. What I'm not getting into my head is: how to
set ACLs on group-{1:n} in such a way that only those who bind to the
server with a DN of "ou=group-{X},ou=users,dc=domain,dc=tld" and the
userPassword set for group-{X} can read/write the entries
(inetOrgPerson) in that OU. The problem is that there is no real naming
convention for the groups (not regex-able), and that they tend to be
rather dynamic. Plus: there's no way of restricting access to certain
static names that I could predefine in an ACL, so I think I need a
dynamic approach.

I've tried the following (in slapd.conf), which generates a slapd
startup error and failure:
# ACLs
access to attrs=userPassword
        by self write
        by * auth

access to *
        by self write
        by users search

access to dn.sub="ou=users,dc=domain,dc=tld"
        by dnattr="ou" write

Would anybody have a pointer for a lost soul?

/cluelessly: markus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCFyZs8BX/d8pVi/cRAvfAAJ0fVfKu9hwR3/cRx/IV5eBb6RQT8wCgz6bX
K7W7lQojugw6md3bU4bi2uQ=
=ehxs
-----END PGP SIGNATURE-----
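One way to express the policy asked about above. This is an added example, not part of the original message and not from the OpenLDAP project; it assumes only the suffix dc=domain,dc=tld and the ou=users tree shown in the post. Two things about the posted slapd.conf first: dnattr= names an attribute of the target entry whose values are DNs (distinguishedName syntax), and ou holds plain strings, which is why slapd refuses that clause at startup; and because ACLs are evaluated in order and the first <what> clause that matches the target entry wins, the dn.sub rule placed after "access to *" would never be consulted even if it loaded. The dynamic part of the question is handled with a dn.regex <what> that captures the group OU's DN and a dn.exact,expand= <who> that compares the bound DN against that capture, so no group name has to be listed.

```conf
# Added example (not from the original post). Assumes the tree from the
# post: suffix dc=domain,dc=tld, group OUs directly under ou=users, each
# group OU carrying its own userPassword. Rules are evaluated in order and
# the first <what> that matches the target entry wins, so the specific
# clauses come first. dn.regex matches the normalized (lower-case) DN.

# Passwords of group OUs and of everything below them: the entry's owner
# may change its own, the group OU the entry sits under may set it, and
# everyone else may only use it to bind. $2 is the group OU's DN.
access to dn.regex="^(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$" attrs=userPassword
        by self write
        by dn.exact,expand="$2" write
        by anonymous auth
        by * none

# The group OU entry itself and every entry beneath it. Whoever bound as
# exactly ou=<group>,ou=users,dc=domain,dc=tld gets write access to that
# OU and its subtree. No attrs= clause, so the entry and children
# pseudo-attributes are covered too, which add, delete and rename of
# child entries require. Works for any group name; no static list.
access to dn.regex="^(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
        by dn.exact,expand="$2" write
        by self write
        by users search
        by * none

# Everything outside ou=users keeps the poster's defaults.
access to *
        by self write
        by users search
```

Check that the configuration loads with "slaptest -f slapd.conf" before restarting slapd, then bind as a group with "ldapwhoami -x -D ou=group-1,ou=users,dc=domain,dc=tld -W" and try a modify in ou=group-1 and one in ou=group-2; only the first should succeed. The {SHA}topsecret values in the post are placeholders: a real {SHA} value is the base64 of the SHA-1 digest, which "slappasswd -h {SHA}" produces, and the salted {SSHA} scheme is the better choice. A group OU whose name contains an escaped comma would not match "[^,]+" and would fall through to the final rule, that is, it would lose write access rather than gain it, which is the safe direction.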